Wireless Clients connecting to captive-portal SSID are unable to get an IP after quick reconnection

Aruba Employee

Question : Why are wireless clients connected to a captive portal SSID not getting an IP if they disconnect and re-connect in quick succession?

 

Environment Information : Any Aruba OS
Any Aruba AP
Any Aruba Controller

 

Symptoms : Previously working wireless clients are unable to get an IP if they disconnect and reconnect to wireless.  If the user entry is cleared with "aaa user delete mac <user-mac>", the user is able to connect and obtain an IP address normally.

 

Cause :

 

We keep the L3 entry (user-table) of the user until the timer "User Idle-Timeout" expires.  This is 5 minutes by default.  Hence if an authenticated captive-portal user disconnects from wireless and reconnects within 5 minutes (say), the user is placed directly in the post-auth role on the Controller.  If the post-auth role is restrictive enough, it can block DHCP and hence prevent the user from getting an IP address.

 

Resolution :

 

If a captive portal authenticated user disconnects from the wireless and reconnects within the "user idle-timeout" period (default 5 minutes), the user will be pushed directly to the post-authentication role on the Controller.  However the user will still need to either renew its IP address or get a new IP address from DHCP.  This attempt to acquire a new IP or renew the existing IP address will fail if DHCP is blocked in the post-authenticated role.  Hence the issue is resolved by allowing DHCP in the post-authenticated role.

 

 

Answer :

 

For the duration of the user idle-timeout (default is 5 mins), we remember the user IP (L3) entry for authenticated users on the Controller.  This is especially useful for captive portal authenticated users that re-connect to the wireless within a short time, so that they do not need to re-authenticate at the captive portal page again.  If an authenticated user disconnects from wireless and reconnects within the configured "user idle-timeout", we push the user directly to the post-authentication role.

Now, since the user disconnected from wireless and re-connected, it will try to do a "DHCP DISCOVER".  We hence need to allow "DHCP" in the post-authenticated role so that the user can get an IP address this time.

For Example:
Consider a user in post-authenticated role "webaccess".

Configuration before change:

(Aruba) #show rights webaccess
 
Derived Role = 'webaccess'
Up BW:No Limit  Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 78/0
Max Sessions = 65535
 
 
access-list List
----------------
Position  Name    Type     Location
--------  ----    ----     --------
1         WebAcc  session  
 
WebAcc
------
Priority  Source  Destination              Service        Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------              -------        ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any                      udp 68         deny                             Low                                                           4<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<NO ACL ALLOWING DHCP
2         user    any                      svc-dns        permit                           Low                                                           4
3         any     any                      tcp 26000      permit                           Low                                                           4
4         any     any                      svc-ssh        permit                           Low                                                           4
5         user    any                      svc-https      permit                           Low                                                           4
6         user    any                      svc-http       permit                           Low                                                           4
7         user    any                      tcp 8080       permit                           Low                                                           4
8         user    127.108.0.0 255.255.0.0  tcp 9100       permit                           Low                                                           4
9         user    any                      tcp 7777       permit                           Low                                                           4
10        user    any                      svc-ftp        permit                           Low                                                           4
11        user    127.108.2.46             any            permit                           Low                                                           4
Expired Policies (due to time constraints) = 0


Configuration Change:
(Aruba)# config term
(Aruba) (config)# ip access-list session WebAcc
(Aruba) (config-sess-WebAcc)# any any svc-dhcp permit position 2
(Aruba) (config-sess-WebAcc)# write mem

Configuration After Change:
(Aruba) (config-role) #show rights webaccess                 
 
Derived Role = 'webaccess'
Up BW:No Limit  Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 77/0
Max Sessions = 65535
 
 
access-list List
----------------
Position  Name    Type     Location
--------  ----    ----     --------
1         WebAcc  session  
 
WebAcc
------
Priority  Source  Destination              Service        Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------              -------        ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any                      udp 68         deny                             Low                                                           4
2         any     any                      svc-dhcp       permit                           Low                                                           4   <<<<<<<<<<<<<<<<<<<<<<<<<<ACL PERMITS DHCP
3         user    any                      svc-dns        permit                           Low                                                           4
4         any     any                      tcp 26000      permit                           Low                                                           4
5         any     any                      svc-ssh        permit                           Low                                                           4
6         user    any                      svc-https      permit                           Low                                                           4
7         user    any                      svc-http       permit                           Low                                                           4
8         user    any                      tcp 8080       permit                           Low                                                           4
9         user    127.108.0.0 255.255.0.0  tcp 9100       permit                           Low                                                           4
10        user    any                      tcp 7777       permit                           Low                                                           4
11        user    any                      svc-ftp        permit                           Low                                                           4

Note: The issue of users not getting an IP after reconnecting to wireless may be exacerbated where the user idle-timeout is configured higher than the default value, since the stale post-authentication role is then retained for longer.
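As an added check (example code, not from the article or from Aruba), the following Python script parses the ACL rows of `show rights <role>` output and reports whether a client DHCP DISCOVER would be permitted, so post-authentication roles can be audited for this problem. It assumes session ACLs are evaluated first-match with an implicit deny at the end, that `udp N` means destination port N, and that the netservice alias svc-dhcp covers UDP 67-68; the sample rows are constructed from the tables above.

```python
import re

# Service aliases seen in the article, mapped to (protocol, destination ports).
# svc-dhcp covering UDP 67-68 is an assumption about the default netservice.
SERVICES = {"svc-dhcp": ("udp", {67, 68}), "svc-dns": ("udp", {53})}

# One ACL row: priority, source, destination (1 or 2 tokens), service, action.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+(?: \S+)?)\s+(svc-\S+|(?:udp|tcp) \d+|any)\s+(permit|deny)\b")

# Constructed excerpts of the article's `show rights webaccess` tables.
BEFORE = """\
1         user    any                      udp 68         deny      Low   4
2         user    any                      svc-dns        permit    Low   4
8         user    127.108.0.0 255.255.0.0  tcp 9100       permit    Low   4
"""
AFTER = """\
1         user    any                      udp 68         deny      Low   4
2         any     any                      svc-dhcp       permit    Low   4
3         user    any                      svc-dns        permit    Low   4
"""

def parse_acl(text):
    """Return the ACL rows as dicts in priority order; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            prio, src, dst, svc, action = m.groups()
            rows.append({"prio": int(prio), "src": src, "dst": dst,
                         "svc": svc, "action": action})
    return sorted(rows, key=lambda r: r["prio"])

def service_matches(svc, proto, port):
    """True if the row's service column covers proto / destination port."""
    if svc == "any":
        return True
    if svc in SERVICES:
        p, ports = SERVICES[svc]
        return p == proto and port in ports
    p, n = svc.split()          # e.g. "udp 68"
    return p == proto and int(n) == port

def dhcp_verdict(acl_text):
    """First-match verdict for a client DHCP DISCOVER (user -> any, UDP dst 67)."""
    for r in parse_acl(acl_text):
        if r["src"] in ("user", "any") and r["dst"] == "any" \
                and service_matches(r["svc"], "udp", 67):
            return r["action"], r["prio"]
    return "deny", None         # implicit deny at the end of the session ACL
```

`dhcp_verdict(BEFORE)` returns the implicit deny, while `dhcp_verdict(AFTER)` is permitted by the new rule at position 2.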

 

Version history: Revision 1 of 1, last update 07-14-2014 06:28 AM